05-05-2005 08:49 AM - edited 02-21-2020 12:07 AM
I am wondering if this is supported. Version 6.34. I have a route outside 0.0.0.0 0.0.0.0 X.X.X.X statement. The PIX is the default gateway for all the internal clients.
I need to send a bunch of publicly available subnets to a router on the inside of the LAN.
When I try the config it doesn't route the traffic correctly.
PIX internal IP address is: 10.3.0.250 255.255.0.0
I tried something similar to this: route outside 66.66.66.66 255.255.255.0 10.3.0.6
Internal Router IP address: 10.3.0.6 255.255.0.0
So when you are on the inside of the PIX and you ping 66.66.66.66 it should go to the router at 10.3.0.6. When I input the ping statements, they just time out.
Could be something on the router but that used to work prior to installing the PIX last night.
05-05-2005 09:54 AM
This should be route INSIDE not outside !!
no route outside 66.66.66.66 255.255.255.0 10.3.0.6
route inside 66.66.66.0 255.255.255.0 10.3.0.6
sincerely
Patrick
05-05-2005 03:14 PM
I think I tried that at some point. When I go back on-site I'll give that a try. My biggest question is, will the PIX be able to route that packet if it stays on the same physical interface? I know if you have two remote-site VPNs, they can't talk to each other unless the packet goes from the outside of the PIX to the inside and back out again. 6.34 doesn't support this type of VPN because the PIX can't send the packet out the same physical interface that it received it on. I'm just wondering if that rule applies to the inside as well.
Although the more I think about it the more it makes sense that it would be: route inside.
05-10-2005 10:40 AM
Hey Patrick, I just tried this on the PIX with a route inside statement. I can no longer ping the IP address. Prior to the change I could ping the IP address. If I'm doing the configuration correctly on the PIX and it's not routing, is there something on the other router that might be having issues?
route inside 66.66.66.66 255.255.255.0 10.3.0.251
route inside 66.66.66.67 255.255.255.0 10.3.0.251
route inside 66.66.66.68 255.255.255.0 10.3.0.251
route inside 66.66.66.69 255.255.255.0 10.3.0.251
05-10-2005 02:03 PM
I just found my answer for PIX 6.3. I do not know about version 7. But for version 6.3 this is not supported. From the following technote: http://www.cisco.com/warp/public/110/pixfaq.shtml
Work stations between the Cisco Secure PIX Firewall and router should have their gateway pointing to the router, not the PIX. Even though they are directly connected, they will have problems accessing the new internal network if their gateway does not point to the router. The router should have a default gateway directing all unknown traffic to the inside interface of the Cisco Secure PIX Firewall. Installing a route for this new network in the PIX will not work either. The PIX does not route or redirect off the interface it received the packet. Also, make sure your nat statement includes the new network or the major net you are adding.
I will just make that router the default gateway.
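The two problems this thread runs into (a static route whose gateway is not on the named interface, and a route that would send a packet back out the interface it arrived on, which the quoted technote says PIX 6.3 will not do) can be checked offline before changing the firewall. This is an added example, not code from any poster or from Cisco; the outside addresses 192.0.2.1 and 192.0.2.254 stand in for the elided X.X.X.X, the client 10.3.0.20 is constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed PIX 6.x-style sample built from the thread's inside addresses.
BASE = """\
ip address outside 192.0.2.1 255.255.255.0
ip address inside 10.3.0.250 255.255.0.0
route outside 0.0.0.0 0.0.0.0 192.0.2.254
"""
FIRST_TRY = BASE + "route outside 66.66.66.66 255.255.255.0 10.3.0.6\n"
SUGGESTED = BASE + "route inside 66.66.66.0 255.255.255.0 10.3.0.6\n"

def parse(config):
    """Return ({ifname: connected network}, [(ifname, dest, mask, gateway)])."""
    nets, routes = {}, []
    for line in config.splitlines():
        f = line.split()
        if f[:2] == ["ip", "address"] and len(f) == 5:
            nets[f[2]] = ipaddress.ip_interface(f"{f[3]}/{f[4]}").network
        elif f[:1] == ["route"] and len(f) >= 5:
            routes.append((f[1], f[2], f[3], ipaddress.ip_address(f[4])))
    return nets, routes

def lint_routes(config):
    """Flag static routes that cannot work as written."""
    nets, routes = parse(config)
    findings = []
    for ifname, dest, mask, gw in routes:
        try:
            ipaddress.ip_network(f"{dest}/{mask}")  # strict: rejects host bits
        except ValueError:
            findings.append((ifname, dest, "host bits set for mask " + mask))
        if ifname in nets and gw not in nets[ifname]:
            findings.append((ifname, dest, f"gateway {gw} is not on {ifname}"))
    return findings

def hairpins(config, src, dst):
    """True if src->dst would leave on the interface it arrived on."""
    nets, routes = parse(config)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    ingress = next((n for n, net in nets.items() if src in net), None)
    best = None  # longest-prefix match over static routes only
    for ifname, dest, mask, _ in routes:
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if dst in net and (best is None or net.prefixlen > best[1]):
            best = (ifname, net.prefixlen)
    return best is not None and best[0] == ingress

if __name__ == "__main__":
    print(lint_routes(FIRST_TRY), hairpins(SUGGESTED, "10.3.0.20", "66.66.66.66"))
```

A route that lints clean can still be reported by `hairpins`, which is the case here: the `route inside` form is syntactically valid, but clients that use the PIX as their gateway would need it to forward back out the inside interface.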